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April 30, 2019 


CALIFORNIA CONSUMER PRIVACY ACT UPDATE — 
CALIFORNIA STATE COMMITTEES VOTE ON AMENDMENTS 


To Our Clients and Friends: 

In the last two weeks, California legislative committees voted on several amendments to the California 
Consumer Privacy Act (CCPA), which is due to go into effect January 1, 2020. While each proposal 
requires additional approvals, including full Assembly and Senate votes, the committees’ determinations 
provide an important development in the ongoing roll-out of the CCPA, what it will ultimately require, 
and how to address compliance. 

The California Assembly’s Privacy and Consumer Protection Committee approved amendments that 
included narrowing the scope of personal information, and effectively exempting employee-related 
information from coverage under the Act. In addition, the Senate Appropriations Committee 
unanimously approved S.B. 561 yesterday, T which would expand the private right of action against 
entities that violate the CCPA, and is supported by Attorney General Xavier Becerra. [2] These 
amendments, and any other legislative amendments or clarifications, will be further supplemented by 
the Attorney General Office’s promulgation of regulations, still anticipated to be issued for public 
comment by Fall 2019. 

The following is a summary of each of the amendments voted on in the past week, and a chart exhibiting 
the key changes to the existing language of the CCPA. As always, we will continue to monitor these 
important updates. 

Senate 

The Senate Judiciary Committee and the Senate Appropriations Committee both voted this month to 
augment the private right of action for violations of the CCPA with S.B. 561. Under the current version 
of the CCPA, consumers only have a private right of action for certain unauthorized disclosures of their 
data. S.B. 561 would permit a private right of action for any violation of the CCPA, broadly expanding 
the potential exposure businesses may face. The bill further removes the 30-day cure period for 
violations before claims can be brought by the Attorney General. Finally, the amendment removes the 
provision permitting businesses and third parties to seek guidance directly from the Attorney General, 
replacing it with a statement that the Attorney General may publish materials to provide general guidance 
on compliance. 

Assembly 

Several bills in the Assembly also continued to gain traction with a positive vote from the California 
Assembly’s Privacy and Consumer Protection Committee: 
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A.B. 25 redefines “consumer” to exclude employees, contractors, agents, and job applicants, so 
long as their personal information is only collected and used by the business in that context; 

A.B. 873 modifies the definition of “personal information” to narrow its scope—including by 
removing information relating to a household, and information “capable of being associated 
with” a consumer—and also redefines “deidentified” data; 

A.B. 1564 would require businesses to make available to consumers a toll-free telephone number 
or an email address for submitting requests, and require businesses with websites to make those 
website addresses available to consumers to submit requests for infonnation; 

A.B. 846 would modify the way businesses can offer financial incentive plans to consumers in 
exchange for their data; 

A.B. 1146 would exempt vehicle and ownership data collected by automotive dealers and shared 
with the manufacturers of the vehicle sold if the vehicle information is shared pursuant to, or in 
anticipation of, a vehicle repair relating to a warranty or recall; and 

A.B. 981 would exempt certain insurance institutions subject to the Insurance Information and 
Privacy Protection Act (IIPPA) from the CCPA, and would incorporate certain disclosure and 
other privacy requirements into the IIPPA to be in line with the CCPA. 

Notably, a proposal to revoke and revamp the CCPA, A.B. 1760—which would have required obtaining 
opt-in consent from consumers before sharing (not just selling) personal information, and would have 
generally broadened consumers’ rights under the Act—was taken off hearing, and will not move forward, 
at least at this time. 

Potential Impact of the Amendments on Businesses 

Arguably the most important changes to the CCPA for businesses interacting with California consumers 
are the proposed amendments set out in S.B. 561; expanding the private right of action to any violations 
of the Act has the potential to significantly increase the number of suits brought by individuals, including 
data privacy class actions, and magnify the resulting financial impact of the Act businesses interacting 
with state residents. As before, in anticipation of this potential amendment, it is important for businesses 
to work now to analyze steps necessary to ensure compliance with the various provisions likely to go 
into effect, including as discussed in our previous client alerts ( California Consumer Privacy Act of 2018 
(July 2018) and New California Security of Connected Devices Law and CCPA Amendments (October 
2018)). In general, businesses should ensure that they understand the type, nature, and scope of 
consumer data they have collected, including where it is stored; create the processes to comply with the 
disclosure and other, technically difficult rights (including a Do Not Sell opt-out link on their website, 
and a request verification and disclosure process); revise service provider agreements for compliance; 
and review their privacy policies, both internal and public, to ensure that they are properly disclosing 
how personal data is collected, used, and potentially shared with third parties. 
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Certain of the proposed Assembly bill amendments, on the other hand, may serve to narrow the impact 
on businesses, particularly related to the scope of personal information at issue. The modifications in 
A.B. 25, clarifying that the CCPA is not intended to cover employees’ data, could minimize the impact 
on companies that generally do not collect California residents’ personal information other than as a 
result of being an employer of Californians, and also minimize logistical issues that would otherwise 
arise if businesses have to allow employees to exercise the rights afforded by the Act. Rather, it would 
shift the impact of the CCPA primarily to those businesses that rely on collecting data as a part of their 
business model. 

The scope of personal information would be further narrowed if A.B. 873 passes, as it may eliminate 
some of the broader reaching—and more confusing—applications of CCPA, to household data and data 
that is “capable of being associated with” a consumer. The remaining language focuses on information 
that is li nk ed directly, or indirectly to a particular consumer. This will also clarify some concern 
expressed at multiple public forums on the CCPA, regarding how verifications for data requests should 
work when the individual is requesting household data. 

A.B. 873 also redefines “deidentified,” and while several of the same guardrails would exist, the new 
definition would specifically require (1) contractual prohibitions on recipients of data to not reidentify 
such deidentified personal information, and (2) a public commitment to not reidentify the data, which 
may require certain internal and third party contract provision revisions, and suggested modifications to 
the language in consumer-facing privacy policies. As a result, it may be important for businesses to re¬ 
evaluate their contracts with suppliers, distributors, and contractors to ensure compliance for any use of 
deidentified data. 

Logistically, A.B. 1564 would offer businesses some relief from providing a toll-free telephone number 
for requests related to the Act, offering instead an option of an email address or a telephone number, and 
a website address for consumers to access. While many businesses may have already included an email 
address for compliance with related laws, instituting a telephone number for such requests may impose 
additional logistical issues for businesses under the current text of the law. 

Finally, for entities offering customer loyalty programs, the new provisions of A.B. 846—replacing the 
financial incentive provisions—will require particular attention, if passed. Primarily, businesses will 
need to ensure the offerings and their value must be “reasonably” related to the value of the data 
collected, though there may be latitude on what incentives are possible. 

Comparison of Proposed Language to Original 

The following chart provides a comparison of what would be key changes to the language of the CCPA 
as a result of the more broadly applicable amendments currently moving through the California 
legislature. The language crossed out in the Original Language column indicates what has been deleted 
from the current language of the Act, while the bolded language in the Proposed Amendment column 
shows what language has been added. That column contains what would be the final text if these 
amendments are adopted. We will continue to monitor the progress of these amendments, and will 
provide updates, accordingly. [3] 
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Concept Original Language 


Introducing 
Private Right of 
Action for Any 
Violation of the 
Act 


(a) (1) Any consumer whose 
nonencrypted or nonredacted personal 
information, ... is subject to an 
unauthorized access . . . may institute a 
civil action for any of the following . . . 


(S.B. 561) 


Excluding (g) “Consumer” means a natural person 

Employees from who is a California resident. . . 

the Definition of 
Consumer 


(A.B. 25) 


(Proposed Amendment 

(a) (1) Any consumer whose rights 
under this title are violated, or 
whose nonencrypted or nonredacted 
personal information ... is subject to 
an unauthorized access . . . may 
institute a civil action for any of the 
|following 


(g) (1) “Consumer” means a natural 
person who is a California resident. . . 

(g) (2) “Consumer” does not include 
a natural person whose personal 
information has been collected by a 
business in the course of a person 
acting as a job applicant to, an 
employee of, a contractor of, an 
agent on behalf of the business, to the 
extent the person’s personal 
information is collected and used 
solely within the context of the 
person’s role as a job applicant to, an 
employee of, a contractor of, or an 
(agent on behalf of the business. 


Redefining 

Deidentified 


(A.B. 873) 


“Deidentified” means information that “Deidentified” means information that 
cannot reasonably identify, relate to, does not reasonably identify or link, 
describe, be capable of being associated directly or indirectly, to a particular 
with, or be linked, directly or consumer, provided that the business 

indirectly, to a particular consumer, makes no attempt to reidentify the 
provided that a business that uses information, and takes reasonable 
deidentified information: technical and administrative 

measures designed to: 


(1) Has implemented techn ical 

safeguards that prohibit reidentification (1) Ensure that the data is 
of the consumer to whom the deidentified. 

information may pertain. 


(2) Publicly commit to maintain and 

(2) Has implemented business use the data in a deidentified form. 

processes that specifically prohibit 

reidentification of the information. 
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(3) Contractually prohibit recipients 
of the data from trying to reidentify 
the data. 
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information. 

Excluding 
Household and 
Information 
“capable of 
being associated 
with” from the 
Definition of 
“Personal 
Information” 

(A.B. 873) 

“Personal information” means 
information that identifies, relates to, 
describes, is capable of being 
associated with, or could reasonably be 
linked, directly or indirectly, with a 
particular consumer or household. 
Personal information includes, but is 
not limited to, the following if it 
identifies, relates to, describes, is 
capable of being associated with, or 
could be reasonably linked, directly or 
indirectly, with a particular consumer 
or household. 

‘Personal information” means 
information that identifies, relates to, 
describes, or could reasonably be 
inked, directly or indirectly, with a 
particular consumer. Personal 
information may include, but is not 
imited to, the following if it identifies, 
relates to, describes, or could be 
reasonably linked, directly or 
indirectly, with a particular consumer. 

Prescribing 
Methods of 
Contacting 
Businesses 

(A.B. 1564) 

(1) Make available to consumers two or 
more designated methods for 
submitting requests for information 
required to be disclosed pursuant to 
Sections 1798.110 and 1798.115, 

1) (A) Make available to consumers a 
toll-free telephone number or an 
email address for submitting requests 
fir information required to be disclosed 
pursuant to Sections 1798.110 and 
1798.115. 

T3) If the business maintains an 
internet website, make the internet 
website available to consumers to 
submit requests for information 
required to be disclosed pursuant to 
Sections 1798.110 and 1798.115. 

telephone number, and if the business 
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site address. 

Clarifying Non¬ 
discrimination 
Provision re 
Financial 
Incentives: 
Removing in 
Favor of 
Customer 

(a) (1) A business shall not 
discriminate against a consumer 
because the consumer exercised any of 
the consumer’s rights under this title, 
including, but not limited to, by: 

a) (1) A business shall not 
discriminate against a consumer 
pecause the consumer exercised any of 
the consumer’s rights under this title, 
including, but not limited to, by: 
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Loyalty 

Programs 

(A.B. 846) 


(B) Charging different prices or rates (B) Charging higher prices or rates for 
for goods or services, including through goods or services, including through 
the use of discounts or other benefits or the use of discounts or other benefits or 
imposing penalties. imposing penalties. 


(C) Providing a different level or 
quality of goods or services to the 
consumer. 

(2) Nothing in this subdivision 
prohibits a business from charging a 
consumer a different price or rate, or 

from providing a different level or 

quality of goods or services to the 
consumer, if that difference is 

reasonably related to the value 

provided to the consumer by the 

consumer’s data. 

(b) (1) A business may offer financial 

incentives, including payments to 

consumers as compensation, for the 

collection of personal information, the 

sale of personal information, or the 

deletion of personal information. A 

business may also offer a different 
price, rate, level, or quality of goods or 

services to the consumer if that price or 

difference is directly related to the 
value provided to the consumer by the 
consumer’s data. 

(2) A business that offers any financial 

incentives pursuant to subdivision (a), 

shall notify consumers of the financial 

incentives pursuant to Section 

1798.135. 

(3) A business may enter a consumer 

into a financial incentive program only 

if the consumer gives the business prior 

opt in consent pursuant to Section 

1798.135 which clearly describes the 


(C) Providing a lower level or quality 
of goods or services to the consumer. 

(2) Nothing in this subdivision 
prohibits a business from offering a 
different price, rate, level, or quality 
of goods or services to a consumer, 

including offering its goods or 
services for no fee, if any of the 
following are true: 

(A) The offering is in connection 
with a consumer’s voluntary 
participation in a loyalty, rewards, 
premium features, discount, or club 
card program. 

(B) That difference is reasonably 

related to the value provided by the 
consumer’s data. 

(C) The offering is for a specific 
good or service whose functionality is 
reasonably related to the collection, 
use, or sale of the consumer’s data. 

(b) As used in this section, “loyalty, 
rewards, premium features, discount, 
or club card program” includes an 
offering to one or more consumers of 
lower prices or rates for goods or 
services or a higher level or quality 
of goods or services, including 
through the use of discounts or other 
benefits, or a program through 
which consumers earn points, 
rewards, credits, incentives, gift 
cards, or certificates, coupons, or 
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material terms of the financial incentive access to sales or discounts on a 
program, and which may be revoked by priority or exclusive basis, 
the consumer at any time. 

(4) A business shall not use financial 

incentive practices that are unjust, 
unreasonable, coercive, or usurious in 

nature. 


[1] Although approved unanimously, S.B. 561 was placed on Suspense File, where the committee 
sends bills with an annual cost of more than $150,000, to be considered following budget 
discussions. The bill will not move forward until the Appropriations Committee releases it for a vote. 

[2] The Senate Judiciary Committee had previously approved the bill 6-2 on April 9, 2019. 

[3] Please note that the following chart does not include language modifications to the IIPPA (A.B. 
981) or proposed amendments exempting information shared between automotive dealers and vehicle 
manufacturers (A.B. 1146), as they are of more limited application than the more general provisions that 
were included. If you have questions about those particular provisions, please reach out to discuss with 
us and we would be happy to provide further guidance. 


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding 
these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any 
member of the firm's Privacy, Cyber security and Consumer Protection practice group, or the authors: 

H. Mark Lyon - Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com) 

Cassandra L. Gaedt-Sheckter - Palo Alto (+1 650-849-5203, cgaedt-sheckter@gibsondunn.com) 
Maya Ziv - Palo Alto (+1 650-849-5336, mziv@gibsondunn.com) 

Privacy, Cybersecurity and Consumer Protection Group: 

United States 

Alexander H. Southwell - Co-Chair, New York (+1 212-351-3981, asouthwell@gibsondunn.com) 
M. Sean Royal! - Dallas (+1 214-698-3256, sroyall@gibsondunn.com) 

Debra Wong Yang - Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com) 
Christopher Chorba - Los Angeles (+1 213-229-7396, cchorba@gibsondunn.com) 

RichardH. Cunningham - Denver (+1 303-298-5752, rhcunningham@gibsondunn.com) 
HowardS. Hogan - Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com) 

Joshua A. .lessen - Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, 

jjessen@gibsondunn.com) 

Kristin A. Linsley - San Francisco (+1 415-393-8395, klinsley@gibsondunn.com) 
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H. Mark Lyon - Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com) 

Shaalu Mehra - Palo Alto (+1 650-849-5282, smehra@gibsondunn.com) 

Karl G. Nelson - Dallas (+1 214-698-3203, knelson@gibsondunn.com) 

Eric D. Vandevelde - Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com) 
Benjamin B. Wagner - Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com) 
Michael Li-Ming Wong - San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, 

mwong@gibsondunn.com) 

Ryan T. Bergsieker - Denver (+1 303-298-5774, rbergsieker@gibsondunn.com) 

Europe 

Ahmed Baladi - Co-Chair, Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com) 
James A. Cox - London (+44 (0)207071 4250, jacox@gibsondunn.com) 

Patrick Doris - London (+44 (0)20 7071 4276, pdoris@gibsondunn.com) 
Bernard Grinspan - Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com) 
Penny Madden - London (+44 (0)20 7071 4226, pmadden@gibsondunn.com) 
Jean-Philippe Robe - Paris (+33 (0)1 56 43 13 00, jrobe@gibsondunn.com) 
Michael Walther - Munich (+49 89 189 33-180, mwalther@gibsondunn.com) 
Nicolas Autet - Paris (+33 (0)1 56 43 13 00, nautet@gibsondunn.com) 

Kai Gesing - Munich (+49 89 189 33-180, kgesing@gibsondunn.com) 

Sarah Wazen - London (+44 (0)20 7071 4203, swazen@gibsondunn.com) 
Alejandro Guerrero - Brussels (+32 2 554 7218, aguerrero@gibsondunn.com) 

Asia 

Kelly Austin - Hong Kong (+852 2214 3788, kaustin@gibsondunn.com) 

Jai S. Pathak - Singapore (+65 6507 3683, jpathak@gibsondunn.com) 
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